New HardenedBSD release

August 7, 2015 ~ hucktech ~ Leave a comment

A new release of HardenedBSD is available: v28 version of 10-STABLE as well as 11-CURRENT.

Please welcome the v28 version of @HardenedBSD 10-STABLE – https://t.co/ZajsPGbChG

— O. P. (@Zer0Pntr) August 6, 2015

HardenedBSD is a security-enhanced fork of FreeBSD, created in 2014 by Oliver Pinter and Shawn Webb. HardenedBSD aims to implement innovative exploit mitigation and security solutions for FreeBSD. The project works with upstream FreeBSD and any other FreeBSD-based project to include any security improvements. NanoBSD is the embedded subset of FreeBSD. FreeBSD — at least the last time I checked — was the only BSD distro that supports UEFI. Recently, HardenedBSD 11-CURRENT was released:
https://hardenedbsd.org/article/oliver-pinter/2015-07-24/hardenedbsd-11-current-amd64-x86-64-installers
https://github.com/HardenedBSD/hardenedBSD

The AArch64 port of FreeBSD has been progressing well. I’ve not built HardenedBSD for AArch64 myself yet, but it appears that someone can, there’s a VM version at least:

A wild #ARM64 #HardenedBSD VM has appeared! Full screenshot: http://t.co/4CVZxzJzYZ pic.twitter.com/NKXNUeE4WV

— Shawn Webb (@lattera) August 4, 2015

ZFS for FreeBSD’s for UEFI boot loader

July 27, 2015 ~ hucktech ~ Leave a comment

From the FreeBSD Quarterly Status Report, FreeBSD’s boot loaders have a patch to support ZFS booting:

ZFS Support for UEFI Boot/Loader: UEFI-enabled boot1.efi and loader.efi have been modified to support loading and booting from a ZFS filesystem. The patch currently works with buildworld, and successfully boots on a test machine with a ZFS partition. In addition, the ZFS-enabled loader.efi can be treated as a chainloader using ZFS-enabled GRUB. The work on boot1.efi also reorganizes the code somewhat, splitting out the filesystem-specific parts into a modular framework. Open tasks:
1) More testing is needed for the following use cases: ZFS with GRUB+loader.efi, ZFS with boot1+loader.efi, UFS with boot1+loader.efi (to test the modularization of boot1.efi)
2) Have boot1.efi check partition type GUIDs before probing for filesystems.
3) Get patch accepted upstream and committed.

More Information:
https://www.freebsd.org/news/status/report-2015-04-2015-06.html#ZFS-Support-for-UEFI-Boot/Loader
https://wiki.freebsd.org/IdeasPage#ZFS_Boot_Environment_menu_for_GPT.2FEFI_boot
http://lists.freebsd.org/pipermail/freebsd-hackers/2015-March/047486.html
https://wiki.freebsd.org/UEFI#Tasks

FreeBSD 10.2 beta1 released

July 11, 2015 ~ hucktech ~ Leave a comment

Today FreeBSD announced availability of release 10.2-BETA1.

Amongst the new features/changes in this release, for firmware these changes are interesting:

* The uefisign(8) utility has been added. [r282974] (Sponsored by The FreeBSD Foundation)
* The acpi(4) subsystem has been updated to version 20150515. [r284460]
* Throttling via ACPI and P4TCC via device.hints(5) have been turned off by default. [r276986]
* The boot loader has been updated to support entering the GELI passphrase before loading the kernel. To enable this behavior, add geom_eli_passphrase_prompt=”YES” to loader.conf(5). [r281843]
* The memory test run at boot time on FreeBSD/amd64 platforms has been disabled by default. [r283262] (Sponsored by The FreeBSD Foundation)

Besides the above changes, there’ve also been a variety of iSCSI changes, unclear if this impacts UEFI’s iSCSI at all. And the Hyper-V drivers have been updated, sponsored by Microsoft’s Open Source Technology Center. [I am ignorant to Hyper-V technology, I guess I need to check how open source Hyper-V code in NanoBSD impacts UEFI.]

More Information:
https://www.freebsd.org/relnotes/10-STABLE/relnotes/article.html
https://lists.freebsd.org/pipermail/freebsd-stable/2015-July/082704.html

PS: Unrelated to FreeBSD release, appears Intel CHIPSEC team is about to release 1.2.1, there is activity on their Github site:

https://github.com/chipsec/chipsec

Recent FreeBSD firmware improvements

May 22, 2015 ~ hucktech ~ Leave a comment

Like Linux, FreeBSD now also supports UEFI. PC-BSD and TrueOS are FreeBSD-based, as is NanoBSD, the embedded subset of FreeBSD.

Besides UEFI pre-OS tool support, FreeBSD also has Forth-based OpenFirmware /boot/loader, with numerous diagnostic commands (autoboot, bcachestat, boot, echo, heap, help, include, load, load_geli, ls, lsdev, more, pnpscan, read, reboot, set, show, unload, unset, ?).

Earlier this week, PC-BSD 10.1.2 has been released. Amongst the changes I notice two firmware-related improvements for this release:

* Support for encrypted iSCSI backups via Life-Preserver, including support for bare-metal restores via installer media

* Improvements to Online Updater, along with GRUB nested menus for Boot-Environments

Firmware changes aside, they’ve been adding some interesting security features: /-level encryption for ZFS, PersonaCrypt Utility, with Stealth Mode, Tor mode for firewall, etc.

More information:

10.1.2 release:
http://lists.pcbsd.org/pipermail/announce/2015-May/000076.html
http://blog.pcbsd.org/2015/05/pc-bsd-10-1-2-released/
https://www.freebsdnews.com/

FreeBSD and UEFI:
https://www.freebsd.org/doc/en/books/handbook/boot.html
https://www.freebsd.org/cgi/man.cgi?query=uefi&apropos=0&sektion=8&manpath=FreeBSD+11-current&format=html
https://wiki.freebsd.org/SecureBoot
https://wiki.freebsd.org/UEFI
http://bsdmag.org/beyond-bios-the-extended-firmware-interface -efi/

/boot/loader:
https://www.freebsd.org/cgi/man.cgi?query=loader%288%29
http://ficl.sourceforge.net/ficl.html